How can a U.S. government report on identity not mention FIPS 201?
By Salvatore D’Agostino, IDmachines
IDmachines recently had the opportunity to go through the National Security Telecommunications Advisory Committee (NSTAC) report to the President on Identity Management. This is an encouraging document in that it calls out:
- A Cabinet-level position for identity
- Interoperability, trust and choice as the basis for implementation
What is confusing is the document’s failure to acknowledge the efforts to date that address most of these needs. The following analysis provides further details on what is in and out of the document and IDmachines’ interpretation.
To reinforce a couple of major points, power in DC and the federal government is all about budget. Other countries are making serious identity investments. The U.S. government, with the President’s leadership and Congress’ backing, needs to step up and fund these recommendations.
NSTAC meet NIST!
Where are the acknowledgments of Federal Information Processing Standard 201 (FIPS 201) and the related efforts of the National Institute of Standards and Technology and the U.S. Department of Commerce, as required by HSPD-12? FIPS 201 provides an architecture that meets the NSTAC recommendations.
Finally, look at and leverage how FIPS 201 has grown into Personal Identity Verification – Interoperability (PIV-I). Look at how other critical infrastructure sectors and other industries that interact with the Federal government have leveraged FIPS 201 and the Federal Bridge Certificate Authority to achieve these goals.
I know I am repeating things here, but I am a little surprised that those involved in these recommendations could not make this connection. In fact we are very close to being able to achieve the goals; industry and government have partnered to make real progress. Significant sums have been invested. State and local governments and commercial enterprises are on board and moving ahead. Identity matters.
IDmachines’ Analysis of the NSTAC Report to the President on Identity Management Strategy
The NSTAC is an important policy body made up of up to 30 industry chief executives from telecommunication, network, information technology, finance and aerospace companies. It addresses critical national security and emergency preparedness (NS/EP) issues. It published its identity management strategy report to the President on 21 May 2009. The report is now generally available here.
It makes the obvious but important statement that National Security/Emergency Preparedness users have the same characteristics as Internet users and importantly they take advantage of a common infrastructure. It proceeds to state that there is a need to identify NS/EP emergency responders and facilitate their authentication and authorization on these networks.
In fact the need is even more widespread, as many of us depend on so-called cyber applications in some way. Secure, privacy-protected and efficient identification is a prerequisite for anyone to fully leverage the information, applications and services of the Internet and other modern means of communication. In any case the recommendations will necessarily have to take this wider need into account.
The report highlights the following statement in its Executive Summary:
“The evolving threat environment, coupled with the increasing reliance on communications networks, requires the development of a national, comprehensive Identity Management vision, strategy, policy and implementation procedures.”
It calls for a federation of interoperable identity management processes, and states that this federation would involve three operational characteristics:
- Interoperability
- Trust anchors
- Choice-based participation
The executive summary goes on to say the identity management strategy should embrace commercial providers, address privacy and civil liberties, allow choice by the enterprise, program and individuals, yet maintain standards. As far as IDmachines can tell this is exactly what a large number of organizations, across end-users, integrators and vendors have been doing for the last five years since HSPD-12 was published. IDmachines is glad to hear there is clear direction to stay the course, even if the directive is not recognized.
Also, in the report’s Executive summary:
“With respect to Governmental organization and coordination, establish a single, authoritative and comprehensive IdM governance process with a dedicated mission and office under an accountable official reporting directly to the President, embracing all Federal policy, technology, and IdM application activities related to both screening and access controls. The established lead official should have control over defined ID management programs and resources across Government, including budget, as needed to advance Federal IdM under a single coherent strategy.”
Centralizing identity in a single office is an excellent, though not new, idea and follows a lead set by other countries, including very recently India. The one word that matters for a change above is “budget.” The progress that has been made to date has been the result of an unfunded mandate. Taking this into account, the growth of FIPS 201 Personal Identity Verification and its 2.0 evolution into Personal Identity Verification – Interoperability (PIV-I) is pretty impressive.
Now, if there were program and project funding, guidance on grants (where funding already exists) and recognition of the economic and social benefits, then we might really be getting somewhere. In addition, this remains a national competitiveness issue, particularly given the significant investments being made in dozens of other countries.
Also in the introduction it calls out:
“With respect to public-private programs, direct the appropriate federal government departments and agencies to work with the private sector to develop and advance a comprehensive and progressive ID management research and development agenda, focusing on Government-civil IdM interoperability.”
While a research and development agenda is a reasonable part of the policy (IDmachines believes that the evolution of PIV-I holds tremendous opportunities for innovation across sectors and applications), at the same time the report makes it sound like federated identity management is not ready for prime time. This is far from the case; in fact there are commercial off-the-shelf solutions for credentialing, logical and physical access control and other related applications.
There exist both products and services that scale to the enterprise and the federation and meet the type of IdM called out in this report. Simply take a look at the General Services Administration Approved Products List to see the breadth of solutions based on FIPS 201. It is disappointing how little this document references HSPD-12, FIPS 201 or PKI: the only mention is one footnote reference to the Federal Bridge. How can the council ignore, or fail to highlight, billions invested that relate directly to its recommendations to the President!
Yes, the government needs to put its house in order. It needs to stop making the silly mistake of developing multiple identity credentials that do not meet the basics set out above, in particular interoperability and trust. At one point there were (and there may still be) more than 40 ID programs in DHS alone, and the last time IDmachines checked there was little, if any, interoperability.
IDmachines agrees with the recommendations:
- Leadership on ID management
- A national office under the Executive Office of the President
- Development of an agenda to address:
  - Government organization and coordination
  - Public-private IdM programs
  - Policy and legislative coordination
  - National privacy and civil liberties culture
IDmachines applauds the broad definition of identity adopted in the document, specifically: “ID management covers a broad scope, including both digital and physical identification of individuals, applications, devices, objects, and information.”
As mobile devices expand their functionality the need for strong authentication of the device as well as the user becomes one of the most important short-term challenges facing the information technology, identity and security industries (which in fact are one and the same).
At the same time the report identifies ID management as a critical enabler of homeland security priority agenda items, and it reinforces the need to bring physical access control under the IdM umbrella. IDmachines applauds the NSTAC for repeating and reinforcing this need, as it did in 2003. In doing so this report defines identity and convergence as the combination of people and devices and of logical and physical domains. IDmachines has long held that this is the only way to view identity and security. This approach has relevance across critical infrastructure and forms the basis for any modern network, importantly including the electrical or “smart” grid.
On privacy, the report simply highlights the need for protection of privacy to be foundational to any ID management strategy. This simple statement is welcome. In the same section it makes the point that requiring identification for anonymous activity does not make sense. Again, this is very good design advice, and the report calls out Web browsing as an example. Some recent actions by the government are contrary to this point and should take the NSTAC guidance into account.
The report provides a useful list of ID management benefits. It includes both hard and soft economic benefit categories. It would be more useful to have included an overt statement on the return on investment, but the emphasis on and highlighting of the benefits provides a citable list that members of the industry can call on when making the argument for their business, enterprise activity or ID management investment.
The report discusses the problems in the current operating environment yet fails to discuss the opportunities that exist. This point is the same as the earlier one about “ignoring” FIPS 201.
The same issue exists with the next section (5.0 Need for an Identity Strategy). It opens with an all-inclusive statement: “Current Government and private sector ID management systems are numerous and stove-piped, causing redundancy and inefficient and uncoordinated ID management efforts.”
In fact interoperability among government agencies and between the U.S. Department of Defense and CertiPath organizations, as just two examples, exists today. FiXs recently aligned for the same reason. While stove-piping may be true for some information and communications technology (ICT) companies, it is not, as an example, true for aerospace, and it should not be for the defense industrial base.
The report does say that some programs exist that could be used as models: “Realistic potential exists for the private sector and individuals to benefit from participation in a federation of interoperable ID management processes.”
In fact it should call out that real progress has already been made. As an example, the SAFE BioPharma Association has cross-certified with the Federal Bridge Certificate Authority and promotes benefits that include risk mitigation, IT system interoperability, the use of regulatory-compliant digital signatures, and green benefits. Both CertiPath and SAFE are part of the 4 Bridges Forum, an organization that seems to be ignored by this report.
The Findings and Conclusions section of the report correctly points out that: “The administration’s commitment to broadening transparency throughout Government will likely have cybersecurity implications and increase the need for an implementable federation of interoperable ID management processes.”
While not directly related to the communications sector, there clearly exists a need for strong identity management and authentication in association with the desire for transparency of the bailout and stimulus monies being spent. A very small percentage of the monies dedicated in these areas could likely provide the foundation of the ID management (and, even better, of strong identity credentials that adhere to FIPS 201) required by the relevant businesses receiving these government funds.
IDmachines completely agrees with the statement in the Conclusions that “If ID management stakeholders do not address the fundamentals now, then more isolated IdM systems will emerge and it will become more difficult to adopt viable comprehensive and interoperable IdM solutions in the future.” Again, recognition needs to be given to those who are already addressing the fundamentals of strong authentication, interoperability and trust anchors, as mentioned earlier in this analysis.
The Recommendation reiterates the need for a national ID management office. IDmachines strongly backs this goal and the associated statement: “to develop a coordinated programmatic agenda to implement a comprehensive ID management vision and strategy to address, at a minimum, four component areas, specifically: Government organization and coordination; public-private ID management programs; policy and legislative coordination; and national privacy and civil liberties culture.”
IDmachines would add the statement that the ID management office should look to build off the work already done and the investment made in PIV-I to achieve this goal.
Image Source: National Institute of Standards and Technology.